

[IEEE 2012 IEEE Symposium on Computers & Informatics (ISCI) - Penang, Malaysia (2012.03.18-2012.03.20)] 2012 IEEE Symposium on Computers & Informatics (ISCI) - SPKT: Secure Port Knock-Tunneling

SPKT: Secure Port Knock-Tunneling, an Enhanced Port Security Authentication Mechanism

Mehran Pourvahab (1), Reza Ebrahimi Atani (1, 2), Laleh Boroumand (3)

(1) Department of Information Technology, University of Guilan, Rasht, Iran
(2) Department of Computer Engineering, University of Guilan, P.O. Box 3756, Rasht, Iran
(3) Department of Computer System and Technology, University of Malaya, 50603 Kuala Lumpur, Malaysia
[email protected], [email protected], [email protected]

Abstract — In recent years there has been increasing interest in the authentication process because of the key role it plays in network security. Port Knocking (PKn) is an authentication method in which data is transmitted through closed ports. This method is prone to attacks when attackers sniff the network. This paper proposes a new method, called “Secure Port Knock-Tunneling”, to eliminate both DOS-Knocking and NAT-Knocking attacks. The feasibility of implementing this method is investigated on Mikrotik devices.

Keywords: Port security; Port Knocking; Authentication; DOS-knocking attack; Network Address Translation; Tunnelling.

I. INTRODUCTION

Nowadays, network security protocols and policies are essential elements of Internet security devices, which provide traffic filtering, integrity, confidentiality, and authentication.

Recent developments in remote communication have highlighted the need for a reliable authentication process. However, providing secure connections over public networks is not simple at all. Leaving a port open to the public is an invitation to an intruder. A safe network should be inaccessible to intruders, but a completely inaccessible network is useless. Many services must be accessible to the public, while others should be usable only by authenticated users. Unfortunately, most services, such as HTTP or SMTP, need to be open for everyone to see.

Every open port used by a service is a potential threat. Therefore, monitoring and controlling port accessibility can provide reliable assurance of secure connectivity. Port knocking is a method that hides services from attackers by transmitting data on closed ports. Basic PKn and the related attacks are explained below.

A. Port-Knocking

In computer networking, port knocking is a method of externally opening ports on a firewall by generating connection attempts on a set of pre-specified closed ports [4]. In other words, port knocking is an authentication method used for transmitting data on closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host that sent the connection attempts to connect over specific port(s). In fact, a client that wants to use a service should start the authentication process by sending packets to which the server does not reply [1]. Therefore, an attacker who is monitoring the network cannot detect the server. A monitoring system on the server side stores a log of the knocking process. When the authentication pattern is completed, the server opens a port for the valid user and a trusted connection is established between the client and the server.

Several port knocking schemes have been accused of offering “security through obscurity”, since it is trivially easy to detect and steal knocks in non-cryptographic systems [8]. One should, however, distinguish between flawed implementations, which are only secure if the details of the system are unknown, and the concept of port knocking itself, which is not fundamentally flawed. Since revealing the presence of a service can only help an adversary, the notion of concealing services from unauthenticated users is a potentially useful one.

There are some attacks that affect PKn and let a malicious user abuse the connection. Although PKn can make the authentication process safer than before, it faces some situations that make the network vulnerable. DOS-Knocking and NAT-Knocking are among the well-known attacks on PKn mechanisms.

The first situation arises when attackers repeatedly send random packets to the server. The server must allocate a buffer to hold the partial knock log of each client until the PKn sequence completes. Therefore, DOS-Knocking leads to a significant amount of memory being occupied [2].

The other situation occurs when the monitoring system cannot distinguish trusted users from others. This scenario arises when Network Address Translation (NAT) is used in the network, so that all users share the same address outside the local network. Hence, when one user completes the PKn process and gains permission to access the server, all clients located behind the same NAT can use the service [3, 4].

2012 IEEE Symposium on Computers & Informatics

978-1-4673-1686-6/12/$26.00 ©2012 IEEE 145


This paper presents a novel port knocking approach in which the PKn authentication process is divided into two phases. The first phase eliminates DOS-Knocking, while the second abolishes the NAT-Knocking problem. The new method is called SPKT: Secure Port Knock-Tunneling, an enhanced port security authentication mechanism. To the best of the authors’ knowledge, there are not enough studies on PKn. Therefore, it can be a suitable field for researchers who work on network security and want a new method for combating attackers or anonymous users.

The rest of the paper is structured as follows: Section II reviews some recent studies on PKn. The SPKT technique is presented in Section III; after that, the implementation results of the method on a Mikrotik RB1100 router board are presented in Section IV, and finally Section V concludes the paper.

II. RELATED WORK

A recent study by D. Worth [1] combined fingerprinting and port knocking as an authentication method. A firewall knock operator, a tool that supports both shared (plain) and encrypted port sequences, was also introduced. In 2005, researchers explored the limitations of PKn and highlighted the issues that can put the network in danger [6]. Between 2005 and 2010, most papers worked on encryption methods for the port sequence [2, 7].

The Silent Knock method is the result of the studies conducted during that time. In this approach, the AES block cipher and the MD4 hash function are applied to increase the security of the proposed PKn, but the simulation results showed that Silent Knock has a reasonable overhead [8].

In the last two years there have been some attempts to challenge the original concept of port knocking. Al-Bahadili and H. Hadi suggested hybrid port knocking for acquiring security. In their method the TCP packet carries a payload that indicates the content of the service; this feature increases the capability of the system [9]. Another approach that offered secure authentication was presented by Liew et al.; although this method could not eliminate the NAT-Knocking attack, it provided security by using IPsec and One Time Password (OTP) mechanisms. Furthermore, some studies have been done on eliminating the weaknesses of SPA (single packet authentication) [10].

Most of the methods mentioned above cannot eliminate the two well-known attacks, NAT-Knocking and DOS-Knocking. The PKn mechanism proposed in this paper, SPKT, achieves this goal and is described in the next section.

III. SECURE PORT KNOCK-TUNNELING

Secure Port Knock-Tunneling (SPKT) is the new method presented in this paper. It is proposed to counter NAT-Knocking and DOS-Knocking attacks and also increases the protection of the authentication process.

SPKT has two phases for securing the authentication mechanism: port knocking and tunneling. The first stage solves the DOS-Knocking attack, while the second removes the NAT-Knocking problem.

Figure 1 illustrates a connection in which a client wants to establish a connection to an SSH server after passing SPKT authentication. The client starts the SPKT process as a port knocker by sending a UDP packet to the server.

Figure 1. Secure Port Knock-Tunneling (SPKT)

The UDP packet contains an Ethernet header, an IP header, a UDP header, the text passphrase as data, and the Ethernet trailer. The mechanism uses UDP because it does not require an ACK from the server; without a response packet the network is less vulnerable, as mentioned before. Besides, in previous port knock processes the connection is established once the client sends a valid sequence, but in SPKT it must send the legal sequence together with the valid text passphrase. Figure 2 shows the first phase of SPKT in detail. After the PKn step finishes successfully, the firewall opens one port for the client and triggers the VPN connection on it.

In the example shown in Figure 2, the PKn sequence is completed after four knocks. The source node with IP address 123.123.123.123 starts SPKT by sending a UDP packet to port 3456. Because the port number is valid, the server checks the passphrase. If the passphrase equals sec-pass1, the server buffers the information for 10 seconds in the list called temporary1 in the example. Otherwise the packet comes from a malicious user: the server allocates no memory for it and drops it. Therefore, the DOS-Knocking problem no longer occurs. For each subsequent knock, besides checking the secret text, the server must check whether the IP address exists in the temporary list. This process continues until the information of all four knocks is stored in the buffer. The whole process should take at most 40 seconds. If a packet does not arrive at the server within 10 seconds of the previous one, the buffer is flushed automatically and the process must be started again. If the PKn process is successful, the second phase starts.

In the tunneling phase, the authenticated user who has passed the PKn process must connect to the SSH server through a tunnel. Therefore, the client must also go through the VPN authentication. Each session stays open for 30 minutes and is then closed automatically. A user who wants to use the channel for a longer time should send the port sequence again before the threshold time expires.

Figure 2. Illustration of the port knocking phase of SPKT
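To make the knocking phase concrete, here is an added example (not the paper's code) that models the server-side logic of Figures 2 and 4 in Python: the four knock ports and passphrases, the 10-second temporary lists, the 30-minute Secured_Address entry, and the tunnel-only SSH rule. The source IPs, timestamps and event trace it processes are constructed for illustration, and the names KnockServer, ssh_allowed and run_trace are this example's own.

```python
import ipaddress
from dataclasses import dataclass, field

# Knock ports and passphrases as in Figure 2 / Figure 4 of the paper.
KNOCKS = [(3456, "sec_pass1"), (4567, "sec_pass2"),
          (5678, "sec_pass3"), (6789, "sec_pass4")]
KNOCK_TTL = 10            # seconds a source stays in temporary1..3
SECURED_TTL = 30 * 60     # seconds a source stays in Secured_Address
# Tunnel address pool from the server script (Tunnel_Secured_Address).
TUNNEL_POOL = (ipaddress.ip_address("192.168.215.10"),
               ipaddress.ip_address("192.168.215.20"))


@dataclass
class KnockServer:
    """Server-side state of the SPKT knocking phase (example model).

    lists[1..3] model temporary1..temporary3, lists[4] models
    Secured_Address; each maps a source IP to its expiry time.
    """
    lists: dict = field(
        default_factory=lambda: {n: {} for n in range(1, 5)})

    def _expire(self, now):
        for lst in self.lists.values():
            for ip in [ip for ip, exp in lst.items() if exp <= now]:
                del lst[ip]

    def knock(self, src, dst_port, payload, now):
        """Process one UDP packet; return the list the source was added
        to, or None if the packet was dropped (no state allocated)."""
        self._expire(now)
        for stage, (port, secret) in enumerate(KNOCKS, start=1):
            if dst_port != port:
                continue
            if payload != secret:      # wrong passphrase: drop, no buffer
                return None
            if stage > 1 and src not in self.lists[stage - 1]:
                return None            # previous knock missing or expired
            ttl = SECURED_TTL if stage == 4 else KNOCK_TTL
            self.lists[stage][src] = now + ttl
            return "Secured_Address" if stage == 4 else f"temporary{stage}"
        return None                    # not a knock port at all

    def tunnel_allowed(self, src, now):
        """Phase 2 gate: may this public IP bring up the VPN tunnel?"""
        self._expire(now)
        return src in self.lists[4]

    def state_size(self):
        """Entries held across all lists (0 after a bad-passphrase flood)."""
        return sum(len(lst) for lst in self.lists.values())


def ssh_allowed(src):
    """SSH (tcp/22) is accepted only from tunnel addresses. A host behind
    the same NAT as an authenticated knocker shares its public IP but has
    no tunnel address without passing the VPN login, which is how the
    tunneling phase blocks NAT-Knocking."""
    ip = ipaddress.ip_address(src)
    return TUNNEL_POOL[0] <= ip <= TUNNEL_POOL[1]


def run_trace(events):
    """Feed constructed (src, dst_port, payload, t) events to a fresh
    server and return the server with the per-packet results."""
    srv = KnockServer()
    return srv, [srv.knock(*ev) for ev in events]
```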

IV. IMPLEMENTATION RESULTS

The feasibility of the Secure Port Knock-Tunneling scheme is investigated on Mikrotik devices. For this, a RouterBOARD 1100 (RB1100) [5] with a PowerPC 800 MHz MPC8544/E PowerQUICC III network processor is used. The RB1100 is faster than any other MikroTik product. The heart of this device is a new state-of-the-art PowerPC networking processor, which places it right at the top of the MikroTik product line. It has thirteen individual gigabit Ethernet ports, two 5-port switch groups, and Ethernet bypass capability. The RB1100 also has a SODIMM RAM slot for upgradable memory, two microSD card slots, a beeper and a serial port, and it comes in a 1U aluminum rackmount case. Power is now more affordable than ever [1]. Used as a backbone router or firewall, it can handle up to 400,000 pps or 3.2 Gbps full duplex.

As explained in the last section, the SPKT mechanism is applied on the RB1100 as shown in Figures 1 and 2. The scripts used for knocking on the client side and on the server side are shown in Figures 3 and 4. As the scripts show, SPKT can counter the DOS-Knocking and NAT-Knocking attacks.

Figure 3. Sample code performing SPKT on the client side.

V. CONCLUSIONS AND FUTURE WORK

The analysis of port knocking authentication methods has revealed both design flaws and implementation problems that could give access to unauthorized users. SPKT is the novel method presented in this paper, which improves the port knocking authentication mechanism. It removes the DOS-Knocking and NAT-Knocking attacks. Therefore, a connection established with SPKT is more reliable than with previous methods. The method uses a four-knock scheme that must be finished within a specific period; otherwise the process must start again. Work on port sequence selection is suggested as future work.

Client-side script of Figure 3 (AutoIt UDP functions; the first UDPOpen address is corrected to the server IP given in the header comment):

    ; Client Side Script / Port Knocker
    ; Knock Server IP : 111.111.111.111
    ; Each knock is one UDP datagram carrying the passphrase for that port;
    ; no reply is expected from the server.
    UDPStartup()
    $socket = UDPOpen("111.111.111.111", 3456)
    $status = UDPSend($socket, "sec_pass1")
    UDPCloseSocket($socket)
    $socket = UDPOpen("111.111.111.111", 4567)
    $status = UDPSend($socket, "sec_pass2")
    UDPCloseSocket($socket)
    $socket = UDPOpen("111.111.111.111", 5678)
    $status = UDPSend($socket, "sec_pass3")
    UDPCloseSocket($socket)
    $socket = UDPOpen("111.111.111.111", 6789)
    $status = UDPSend($socket, "sec_pass4")
    UDPCloseSocket($socket)
    UDPShutdown()

Server-side script of Figure 4 (RouterOS 5.9 export, continuation lines rejoined):

    # Knock Server Side Script
    # dec/01/2011 00:25:10 by RouterOS 5.9
    # software id = P09Z-NKBS
    /ip firewall layer7-protocol
    # each knock must carry exactly the expected passphrase as payload
    add name=knock1 regexp="^sec_pass1\$"
    add name=knock2 regexp="^sec_pass2\$"
    add name=knock3 regexp="^sec_pass3\$"
    add name=knock4 regexp="^sec_pass4\$"
    /ip firewall address-list
    # IP address list for tunneling connections (addresses handed out inside the VPN)
    add address=192.168.215.10-192.168.215.20 disabled=no list=Tunnel_Secured_Address
    /ip firewall connection tracking
    set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
        tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s \
        tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s \
        tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
    /ip firewall filter
    # knock 1: a correct passphrase on UDP 3456 puts the source in temporary1 for 10 s;
    # a wrong passphrase matches no rule, so no list entry (no memory) is allocated
    add action=add-src-to-address-list address-list=temporary1 address-list-timeout=10s \
        chain=input comment="<<<----- Listen UDP:3456 ----->>>" disabled=no dst-port=3456 \
        layer7-protocol=knock1 protocol=udp
    # knocks 2 and 3: only sources still present in the previous list are accepted
    add action=add-src-to-address-list address-list=temporary2 address-list-timeout=10s \
        chain=input comment="<<<----- Listen UDP:4567 ----->>>" disabled=no dst-port=4567 \
        layer7-protocol=knock2 protocol=udp src-address-list=temporary1
    add action=add-src-to-address-list address-list=temporary3 address-list-timeout=10s \
        chain=input comment="<<<----- Listen UDP:5678 ----->>>" disabled=no dst-port=5678 \
        layer7-protocol=knock3 protocol=udp src-address-list=temporary2
    # knock 4: the source becomes a Secured_Address for 30 minutes (the session limit)
    add action=add-src-to-address-list address-list=Secured_Address address-list-timeout=30m \
        chain=input comment="<<<----- Listen UDP:6789 ----->>>" disabled=no dst-port=6789 \
        layer7-protocol=knock4 protocol=udp src-address-list=temporary3
    # tunnel (GRE) traffic is accepted only from knocked sources; the drop rule's
    # comment reads "Drop <> All IPs", i.e. every source NOT in the list, hence the "!"
    add action=accept chain=input comment="Input Accept >>> Secured_Address" disabled=no \
        protocol=gre src-address-list=Secured_Address
    add action=drop chain=input comment="Input Tunnel Drop <> All IPs" disabled=no \
        protocol=gre src-address-list=!Secured_Address
    # SSH is accepted only from tunnel addresses, so a host sharing the knocker's
    # public (NAT) address cannot reach SSH without passing the VPN login itself
    add action=accept chain=input comment="Input Tunnel Accept >>> Tunnel_Secured_Address" \
        disabled=no dst-port=22 protocol=tcp src-address-list=Tunnel_Secured_Address
    add action=drop chain=input comment="Input Tunnel Drop <> Tunnel_Secured_Address" \
        disabled=no dst-port=22 protocol=tcp src-address-list=!Tunnel_Secured_Address

Figure 4. Sample code to perform SPKT on the server side.

REFERENCES

[1] D. Worth, “COK: Cryptographic One-Time Knocking,” talk slides, Black Hat USA, 2004, pp. 19-25.

[2] A. I. Manzanares, J. T. Marquez, J. M. Estevez-Tapiador, J. C. Hernández Castro, “Attacks on port knocking authentication mechanism,” Computational Science and Its Applications, ICCSA 2005, pp. 1292-1300.

[3] T. Popeea, V. Olteanu, L. Gheorghe, R. Rughinis, “Extension of a port knocking client-server architecture with NTP synchronization,” 10th Roedunet International Conference (RoEduNet), 2011, pp. 1-5.

[4] S. Jeanquier, “An Analysis of Port Knocking and Single Packet,” MSc Thesis, Information Security Group, Royal Holloway College, University of London, 2006.

[5] http://routerboard.com/RB1100

[6] R. DeGraaf, J. Aycock, M. J. Jacobson, “Improved Port Knocking with Strong Authentication,” 21st Annual Computer Security Applications Conference, 2005, pp. 451-462.

[7] P. Iyappan, K. S. Arvind, N. Geetha, S. Vanitha, “Pluggable Encryption Algorithm in Secure Shell (SSH) Protocol,” Second International Conference on Emerging Trends in Engineering Technology, 2009, pp. 808-813.

[8] E. Y. Vasserman, N. Hopper, J. Laxson, J. Tyra, “SilentKnock: practical, provably undetectable authentication,” International Journal of Information Security, Vol. 8, No. 1, February 2009, pp. 121-135.

[9] H. Al-Bahadili, A. H. Hadi, “Network Security Using Hybrid Port Knocking,” International Journal of Computer Science and Network Security (IJCSNS), Vol. 10, No. 8, 2010, pp. 8-12.

[10] J. H. Liew, S. Lee, I. Ong, H. J. Lee, H. Lim, “One-Time Knocking framework using SPA and IPsec,” 2nd International Education Technology and Computer, 2010, pp. 209-213.
